dcrat | b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8

Analysis

max time kernel
118s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
Size

4.6MB
MD5

8576f95a0e018025e8b46367ae311e83
SHA1

0d1c5e913dcc60910e454416e3c149c9d05f02f5
SHA256

b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8
SHA512

ef30324c2f5afdfe3639e7322e8e1845e661d55cd4ffff6f7bf65c85e8ac23d5d7c5b92f39d1807c9524a5fb29b21b45249a617f63f0e35ecd3803edd6dc7f30
SSDEEP

98304:d++ALvAvoV3JDBQSBK5f7a6uBt9iofavIah:TmvvV5DpQ7a6ugoCvIw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 5 IoCs

pid	Process
3028	Bootstrapper.exe
2064	DCRatBuild.exe
1208	Process not Found
2864	Mscrt.exe
2184	Mscrt.exe

Loads dropped DLL 10 IoCs

pid	Process
2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
2328	Process not Found
2988	cmd.exe
2988	cmd.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\conhost.exe	Mscrt.exe
File created	C:\Program Files\Uninstall Information\088424020bedd6	Mscrt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\088424020bedd6	Mscrt.exe
File created	C:\Windows\Resources\Themes\Aero\conhost.exe	Mscrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
828	PING.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2748	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
828	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe
2864	Mscrt.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	Mscrt.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeDebugPrivilege	3028	Bootstrapper.exe
Token: SeDebugPrivilege	2184	Mscrt.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3028	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	30
PID 2368 wrote to memory of 3028	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	30
PID 2368 wrote to memory of 3028	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	30
PID 2368 wrote to memory of 3028	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	30
PID 2368 wrote to memory of 2064	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	32
PID 2368 wrote to memory of 2064	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	32
PID 2368 wrote to memory of 2064	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	32
PID 2368 wrote to memory of 2064	2368	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe	32
PID 2064 wrote to memory of 1744	2064	DCRatBuild.exe	33
PID 2064 wrote to memory of 1744	2064	DCRatBuild.exe	33
PID 2064 wrote to memory of 1744	2064	DCRatBuild.exe	33
PID 2064 wrote to memory of 1744	2064	DCRatBuild.exe	33
PID 3028 wrote to memory of 2268	3028	Bootstrapper.exe	34
PID 3028 wrote to memory of 2268	3028	Bootstrapper.exe	34
PID 3028 wrote to memory of 2268	3028	Bootstrapper.exe	34
PID 2268 wrote to memory of 2748	2268	cmd.exe	36
PID 2268 wrote to memory of 2748	2268	cmd.exe	36
PID 2268 wrote to memory of 2748	2268	cmd.exe	36
PID 1744 wrote to memory of 2988	1744	WScript.exe	37
PID 1744 wrote to memory of 2988	1744	WScript.exe	37
PID 1744 wrote to memory of 2988	1744	WScript.exe	37
PID 1744 wrote to memory of 2988	1744	WScript.exe	37
PID 2988 wrote to memory of 2864	2988	cmd.exe	39
PID 2988 wrote to memory of 2864	2988	cmd.exe	39
PID 2988 wrote to memory of 2864	2988	cmd.exe	39
PID 2988 wrote to memory of 2864	2988	cmd.exe	39
PID 2864 wrote to memory of 1880	2864	Mscrt.exe	41
PID 2864 wrote to memory of 1880	2864	Mscrt.exe	41
PID 2864 wrote to memory of 1880	2864	Mscrt.exe	41
PID 1880 wrote to memory of 1908	1880	cmd.exe	43
PID 1880 wrote to memory of 1908	1880	cmd.exe	43
PID 1880 wrote to memory of 1908	1880	cmd.exe	43
PID 1880 wrote to memory of 828	1880	cmd.exe	44
PID 1880 wrote to memory of 828	1880	cmd.exe	44
PID 1880 wrote to memory of 828	1880	cmd.exe	44
PID 3028 wrote to memory of 1952	3028	Bootstrapper.exe	45
PID 3028 wrote to memory of 1952	3028	Bootstrapper.exe	45
PID 3028 wrote to memory of 1952	3028	Bootstrapper.exe	45
PID 1952 wrote to memory of 1536	1952	cmd.exe	47
PID 1952 wrote to memory of 1536	1952	cmd.exe	47
PID 1952 wrote to memory of 1536	1952	cmd.exe	47
PID 3028 wrote to memory of 2356	3028	Bootstrapper.exe	49
PID 3028 wrote to memory of 2356	3028	Bootstrapper.exe	49
PID 3028 wrote to memory of 2356	3028	Bootstrapper.exe	49
PID 1880 wrote to memory of 2184	1880	cmd.exe	50
PID 1880 wrote to memory of 2184	1880	cmd.exe	50
PID 1880 wrote to memory of 2184	1880	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
"C:\Users\Admin\AppData\Local\Temp\b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2748
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1536
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3028 -s 1128
    3⤵
    - Loads dropped DLL
    PID:2356
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\ComponentReviewperfmonitor\Mscrt.exe
        
        "C:\ComponentReviewperfmonitor/Mscrt.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NzfEtFrhjY.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
        
        C:\ComponentReviewperfmonitor\Mscrt.exe
        
        "C:\ComponentReviewperfmonitor\Mscrt.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat

Filesize
83B

MD5
514f93d92ae221458937c720626b46b3

SHA1
608eabeab6fd1b15449452c146dca0e08421b3e5

SHA256
630c846609cc08488485cd976ca51355f8c43666d59186df6936747ce06d383f

SHA512
83ec92c38be82ffb0e817ac97e545ef8c83c19e891474ca78fe469fe99da63a5e00c38449d04a7de31be543c64a99adb5732d2e7d966eaccc23998666e7aae28

Download Submit
C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe

Filesize
216B

MD5
27f28b26b1a641e515a8c84280fc4638

SHA1
103d1e3b99c8900e4fde8cf88e91e9a30132e614

SHA256
7610dec18100d028feb67fd231ced9f363ffcf79a8788d8b37c909c5393bbd58

SHA512
aa2025dd4ffa8dd73838d10b6b2bd9b1a197ded1d4aa04645a2e51d33b5ee3d970c8b8dbeebfe2f23d728ccea83d63ca40501822ba57dde477ede93340c398c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NzfEtFrhjY.bat

Filesize
167B

MD5
0c44186d2378e48aab6889ac92c116c7

SHA1
adcc371a321fea8e6fe4716d5888796e44ccb84b

SHA256
6f5fd3170fbc91988313c978af9eb3ab56b964827e9e680f7d7a3072ff4b2b41

SHA512
cbb9c801e706a5b22d74f95b7cf0982f43e3484749152f2da6a3331252bc8609745c42b5f7d8f0c6050ff7dd5335a9c0e9bdf1b90b7d8da61b8e0f4d7caa983c

Download Submit
\ComponentReviewperfmonitor\Mscrt.exe

Filesize
3.5MB

MD5
e7870cd0c30a52066c454c15a5a5a2f5

SHA1
fc64203e05c104a116e7e4c354c9ee77c99737d6

SHA256
e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e

SHA512
3e0a40959eaba1fbf3cb7a11707bc658421f3066e4e1beea56088ac213c10524127d4d9e2500e549a1ee608887c113973892d54fb91fae6ea9db4eb9e818bebe

Download Submit
\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
3.8MB

MD5
4680b7118d5d69d9d9aca7265a07fa8b

SHA1
47036b3ed3f8ac995680bb6e9d12c91d30d840be

SHA256
98b1a4b0f9d10a1310b30401147cbd7fbb328f03f00c4dd31b99ab6bedf651ff

SHA512
6593078d884dd5eeefb528c388dfd05f528b03d35b93e47ed73ed27ff35769b6ef5991dd837cb398a44139a35407ab0917bda82b90a39ed1eecab2a99cd1f3d7

Download Submit
memory/2184-97-0x0000000001350000-0x00000000016DE000-memory.dmp

Filesize
3.6MB

Download
memory/2368-10-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/2864-48-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2864-54-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2864-36-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2864-38-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2864-40-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/2864-42-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2864-44-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2864-46-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2864-32-0x0000000000550000-0x0000000000576000-memory.dmp

Filesize
152KB

Download
memory/2864-50-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2864-52-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/2864-34-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2864-56-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2864-58-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2864-60-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2864-62-0x000000001AA30000-0x000000001AA8A000-memory.dmp

Filesize
360KB

Download
memory/2864-64-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2864-66-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2864-68-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2864-70-0x0000000002300000-0x0000000002318000-memory.dmp

Filesize
96KB

Download
memory/2864-72-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2864-74-0x000000001AE80000-0x000000001AECE000-memory.dmp

Filesize
312KB

Download
memory/2864-30-0x0000000000B70000-0x0000000000EFE000-memory.dmp

Filesize
3.6MB

Download
memory/3028-22-0x0000000000F20000-0x0000000000FEE000-memory.dmp

Filesize
824KB

Download