dcrat | b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8

Analysis

max time kernel
120s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8576F95A0E018025E8B46367AE311E83.exe
Size

4.6MB
MD5

8576f95a0e018025e8b46367ae311e83
SHA1

0d1c5e913dcc60910e454416e3c149c9d05f02f5
SHA256

b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8
SHA512

ef30324c2f5afdfe3639e7322e8e1845e661d55cd4ffff6f7bf65c85e8ac23d5d7c5b92f39d1807c9524a5fb29b21b45249a617f63f0e35ecd3803edd6dc7f30
SSDEEP

98304:d++ALvAvoV3JDBQSBK5f7a6uBt9iofavIah:TmvvV5DpQ7a6ugoCvIw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 5 IoCs

pid	Process
2384	Bootstrapper.exe
2040	DCRatBuild.exe
1204	Process not Found
2776	Mscrt.exe
2532	Mscrt.exe

Loads dropped DLL 10 IoCs

pid	Process
1732	8576F95A0E018025E8B46367AE311E83.exe
1732	8576F95A0E018025E8B46367AE311E83.exe
2540	Process not Found
2068	cmd.exe
2068	cmd.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\Idle.exe	Mscrt.exe
File created	C:\Program Files\Internet Explorer\6ccacd8608530f	Mscrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8576F95A0E018025E8B46367AE311E83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2868	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe
2776	Mscrt.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	Mscrt.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: SeDebugPrivilege	2384	Bootstrapper.exe
Token: SeDebugPrivilege	2532	Mscrt.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2384	1732	8576F95A0E018025E8B46367AE311E83.exe	30
PID 1732 wrote to memory of 2384	1732	8576F95A0E018025E8B46367AE311E83.exe	30
PID 1732 wrote to memory of 2384	1732	8576F95A0E018025E8B46367AE311E83.exe	30
PID 1732 wrote to memory of 2384	1732	8576F95A0E018025E8B46367AE311E83.exe	30
PID 1732 wrote to memory of 2040	1732	8576F95A0E018025E8B46367AE311E83.exe	32
PID 1732 wrote to memory of 2040	1732	8576F95A0E018025E8B46367AE311E83.exe	32
PID 1732 wrote to memory of 2040	1732	8576F95A0E018025E8B46367AE311E83.exe	32
PID 1732 wrote to memory of 2040	1732	8576F95A0E018025E8B46367AE311E83.exe	32
PID 2040 wrote to memory of 2304	2040	DCRatBuild.exe	33
PID 2040 wrote to memory of 2304	2040	DCRatBuild.exe	33
PID 2040 wrote to memory of 2304	2040	DCRatBuild.exe	33
PID 2040 wrote to memory of 2304	2040	DCRatBuild.exe	33
PID 2384 wrote to memory of 2800	2384	Bootstrapper.exe	34
PID 2384 wrote to memory of 2800	2384	Bootstrapper.exe	34
PID 2384 wrote to memory of 2800	2384	Bootstrapper.exe	34
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2800 wrote to memory of 2868	2800	cmd.exe	36
PID 2304 wrote to memory of 2068	2304	WScript.exe	37
PID 2304 wrote to memory of 2068	2304	WScript.exe	37
PID 2304 wrote to memory of 2068	2304	WScript.exe	37
PID 2304 wrote to memory of 2068	2304	WScript.exe	37
PID 2068 wrote to memory of 2776	2068	cmd.exe	39
PID 2068 wrote to memory of 2776	2068	cmd.exe	39
PID 2068 wrote to memory of 2776	2068	cmd.exe	39
PID 2068 wrote to memory of 2776	2068	cmd.exe	39
PID 2776 wrote to memory of 2576	2776	Mscrt.exe	41
PID 2776 wrote to memory of 2576	2776	Mscrt.exe	41
PID 2776 wrote to memory of 2576	2776	Mscrt.exe	41
PID 2576 wrote to memory of 2508	2576	cmd.exe	43
PID 2576 wrote to memory of 2508	2576	cmd.exe	43
PID 2576 wrote to memory of 2508	2576	cmd.exe	43
PID 2576 wrote to memory of 2400	2576	cmd.exe	44
PID 2576 wrote to memory of 2400	2576	cmd.exe	44
PID 2576 wrote to memory of 2400	2576	cmd.exe	44
PID 2384 wrote to memory of 1676	2384	Bootstrapper.exe	45
PID 2384 wrote to memory of 1676	2384	Bootstrapper.exe	45
PID 2384 wrote to memory of 1676	2384	Bootstrapper.exe	45
PID 1676 wrote to memory of 1328	1676	cmd.exe	47
PID 1676 wrote to memory of 1328	1676	cmd.exe	47
PID 1676 wrote to memory of 1328	1676	cmd.exe	47
PID 2384 wrote to memory of 2572	2384	Bootstrapper.exe	49
PID 2384 wrote to memory of 2572	2384	Bootstrapper.exe	49
PID 2384 wrote to memory of 2572	2384	Bootstrapper.exe	49
PID 2576 wrote to memory of 2532	2576	cmd.exe	50
PID 2576 wrote to memory of 2532	2576	cmd.exe	50
PID 2576 wrote to memory of 2532	2576	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\8576F95A0E018025E8B46367AE311E83.exe
"C:\Users\Admin\AppData\Local\Temp\8576F95A0E018025E8B46367AE311E83.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2868
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2384 -s 1128
    3⤵
    - Loads dropped DLL
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\ComponentReviewperfmonitor\Mscrt.exe
        
        "C:\ComponentReviewperfmonitor/Mscrt.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2yTZZfxkbv.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2400
        
        C:\ComponentReviewperfmonitor\Mscrt.exe
        
        "C:\ComponentReviewperfmonitor\Mscrt.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentReviewperfmonitor\Mscrt.exe

Filesize
3.5MB

MD5
e7870cd0c30a52066c454c15a5a5a2f5

SHA1
fc64203e05c104a116e7e4c354c9ee77c99737d6

SHA256
e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e

SHA512
3e0a40959eaba1fbf3cb7a11707bc658421f3066e4e1beea56088ac213c10524127d4d9e2500e549a1ee608887c113973892d54fb91fae6ea9db4eb9e818bebe

Download Submit
C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat

Filesize
83B

MD5
514f93d92ae221458937c720626b46b3

SHA1
608eabeab6fd1b15449452c146dca0e08421b3e5

SHA256
630c846609cc08488485cd976ca51355f8c43666d59186df6936747ce06d383f

SHA512
83ec92c38be82ffb0e817ac97e545ef8c83c19e891474ca78fe469fe99da63a5e00c38449d04a7de31be543c64a99adb5732d2e7d966eaccc23998666e7aae28

Download Submit
C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe

Filesize
216B

MD5
27f28b26b1a641e515a8c84280fc4638

SHA1
103d1e3b99c8900e4fde8cf88e91e9a30132e614

SHA256
7610dec18100d028feb67fd231ced9f363ffcf79a8788d8b37c909c5393bbd58

SHA512
aa2025dd4ffa8dd73838d10b6b2bd9b1a197ded1d4aa04645a2e51d33b5ee3d970c8b8dbeebfe2f23d728ccea83d63ca40501822ba57dde477ede93340c398c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2yTZZfxkbv.bat

Filesize
215B

MD5
1ea2e07ccb8c83804e047095058b50fd

SHA1
a1344e2b804a22a7d213561d18087e9089d5b363

SHA256
d44b688293fe69304b18f26f887a799f20b1c7139d5aae69c14ea6419f1504b8

SHA512
31c269e63565fd690e91bfcfc0bf65b27f90c6670ea936d6ad03412cf0af3dbad9c8352d63150c8e15827a96a58c7e0d3731a898c666cfd0cce85ad8ca49118a

Download Submit
\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
3.8MB

MD5
4680b7118d5d69d9d9aca7265a07fa8b

SHA1
47036b3ed3f8ac995680bb6e9d12c91d30d840be

SHA256
98b1a4b0f9d10a1310b30401147cbd7fbb328f03f00c4dd31b99ab6bedf651ff

SHA512
6593078d884dd5eeefb528c388dfd05f528b03d35b93e47ed73ed27ff35769b6ef5991dd837cb398a44139a35407ab0917bda82b90a39ed1eecab2a99cd1f3d7

Download Submit
memory/1732-10-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/2384-23-0x0000000000190000-0x000000000025E000-memory.dmp

Filesize
824KB

Download
memory/2532-96-0x00000000012C0000-0x000000000164E000-memory.dmp

Filesize
3.6MB

Download
memory/2776-48-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/2776-56-0x0000000002380000-0x000000000238E000-memory.dmp

Filesize
56KB

Download
memory/2776-38-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2776-40-0x0000000002360000-0x0000000002378000-memory.dmp

Filesize
96KB

Download
memory/2776-42-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2776-44-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/2776-46-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2776-34-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2776-50-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/2776-52-0x000000001ADC0000-0x000000001ADD6000-memory.dmp

Filesize
88KB

Download
memory/2776-54-0x000000001ADE0000-0x000000001ADF2000-memory.dmp

Filesize
72KB

Download
memory/2776-36-0x0000000002290000-0x00000000022AC000-memory.dmp

Filesize
112KB

Download
memory/2776-58-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2776-60-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2776-62-0x000000001B3E0000-0x000000001B43A000-memory.dmp

Filesize
360KB

Download
memory/2776-64-0x0000000002450000-0x000000000245E000-memory.dmp

Filesize
56KB

Download
memory/2776-66-0x000000001AF00000-0x000000001AF10000-memory.dmp

Filesize
64KB

Download
memory/2776-68-0x000000001AF10000-0x000000001AF1E000-memory.dmp

Filesize
56KB

Download
memory/2776-70-0x000000001AF40000-0x000000001AF58000-memory.dmp

Filesize
96KB

Download
memory/2776-72-0x000000001AF20000-0x000000001AF2C000-memory.dmp

Filesize
48KB

Download
memory/2776-74-0x000000001B8F0000-0x000000001B93E000-memory.dmp

Filesize
312KB

Download
memory/2776-32-0x0000000002260000-0x0000000002286000-memory.dmp

Filesize
152KB

Download
memory/2776-30-0x0000000000150000-0x00000000004DE000-memory.dmp

Filesize
3.6MB

Download